
Chinese Hackers Exploit SharePoint Flaws to Deploy Backdoors, Ransomware, and Loaders

Threat Score: 69 | 5 articles | 100.0% similarity | 1 day ago

Activity Timeline (5 articles): Aug 03, Aug 04, Aug 05, Aug 06, Aug 06

Key Insights

1. Chinese threat actor Storm-2603 is exploiting SharePoint vulnerabilities, deploying the advanced malware suite Project AK47, which includes backdoors and ransomware as part of a financially motivated campaign.
2. The ToolShell exploit chain affects multiple SharePoint versions, with critical vulnerabilities identified as CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, allowing remote code execution.
3. Microsoft reported that at least three state-affiliated Chinese groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, have exploited these vulnerabilities, leading to breaches in 148 organizations globally.
4. Unit 42 researchers noted the use of a custom malware suite named Project AK47, which includes a backdoor supporting DNS and HTTP protocols, and ransomware known as X2ANYLOCK, named after its file extension.
5. The exploitation of SharePoint vulnerabilities has resulted in unauthorized access to sensitive systems, including those belonging to the National Nuclear Security Administration and the Department of Homeland Security.
6. Researchers have observed a significant increase in ransomware activity, specifically the deployment of the 4L4MD4R ransomware variant, with demands of 0.005 Bitcoin for decryption.

Threat Overview

Recent investigations by cybersecurity researchers have revealed that Chinese threat actor Storm-2603 has been exploiting critical vulnerabilities in Microsoft SharePoint, deploying an advanced malware suite known as Project AK47. This campaign has been active since at least March 2025 and has already compromised numerous organizations, including sensitive government entities. According to Microsoft, the vulnerabilities identified as CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 allow remote code execution, which can lead to unauthorized access and lateral movement within networks. 'These vulnerabilities have been actively exploited by at least three state-affiliated Chinese groups,' Microsoft stated, highlighting the severity of the situation.

Unit 42 researchers from Palo Alto Networks have linked the exploit chain to a malware suite that includes multi-protocol backdoors, ransomware, and loaders, indicating a sophisticated level of threat. The ransomware variant, X2ANYLOCK, has been observed in the wild, demanding ransom payments in Bitcoin. Furthermore, the use of shared Tox IDs and links to known ransomware campaigns suggests a coordinated effort among various threat actors.

The ToolShell exploit chain was first identified during a hacking competition in May 2025, with Microsoft releasing patches only in July. During the interim, several systems were breached, raising concerns about the security of government agencies such as the National Nuclear Security Administration and the Department of Homeland Security. As the situation evolves, experts recommend immediate patching of affected SharePoint versions to mitigate the risks associated with these vulnerabilities. Cybersecurity officials are urging organizations to review their security postures and implement robust defensive measures to prevent exploitation of these vulnerabilities in the future.

Tactics, Techniques & Procedures (TTPs)

T1190 Exploit Public-Facing Application: Attackers are leveraging the ToolShell exploit chain to gain unauthorized access to SharePoint servers [1][3]
T1059.001 Command and Scripting Interpreter: The malware suite includes PowerShell scripts designed to disable security monitoring and execute payloads [5]
T1566 Phishing: Attackers are utilizing spearphishing techniques to deliver malicious payloads to targeted users [2][4]
T1071.001 Application Layer Protocol: Web Protocols: Project AK47 utilizes DNS and HTTP for command and control communications [1][2]
T1486 Data Encrypted for Impact: The ransomware variant X2ANYLOCK encrypts files on the compromised systems, demanding ransom [4]
T1053 Scheduled Task/Job: The malware maintains persistence through scheduled tasks to execute malicious components [4]
T1105 Ingress Tool Transfer: Attackers download additional payloads and tools post-compromise to facilitate further exploitation [5]

Timeline of Events

2025-03-01: Activity cluster CL-CRI-1040 identified as exploiting SharePoint vulnerabilities [2]
2025-05-15: ToolShell exploit chain first reported at a hacking competition [3]
2025-06-15: Microsoft acknowledges multiple state-affiliated Chinese groups exploiting SharePoint vulnerabilities [5]
2025-07-01: Microsoft releases patches for SharePoint vulnerabilities [3]
2025-07-27: Discovery of the 4L4MD4R ransomware variant linked to the ToolShell exploits [5]
2025-08-01: Unit 42 publishes findings on Project AK47 and its capabilities [1]
2025-08-05: Microsoft confirms breaches of at least 148 organizations due to these vulnerabilities [4]
2025-08-06: Ongoing investigations into additional threat actors utilizing the vulnerabilities [2]

Source Citations

Expert quotes: Unit 42 (Article 2); Microsoft (Article 3); Palo Alto Networks (Article 1)
Primary findings: Exploitation evidence (Articles 2, 4, 5); CVE details and patches (Articles 1, 2, 3); Vulnerable instance count (Article 5)
Technical details: Attack methods (Articles 1, 2, 4, 5); Persistence techniques (Articles 3, 4)

Powered by ThreatCluster AI. Generated 17 hours ago. AI analysis may contain inaccuracies.

Related Articles (5 articles)

1. Chinese Hackers Exploit SharePoint Flaws to Deploy Backdoors, Ransomware, and Loaders

GB Hackers • 22 hours ago

Unit 42 researchers have identified significant overlaps between Microsoft's reported ToolShell exploit chain targeting SharePoint vulnerabilities and a tracked activity cluster dubbed CL-CRI-1040. This cluster, active since at least March 2025, deploys a custom malware suite named Project AK47, comprising multi-protocol backdoors, ransomware, and DLL side-loading loaders. Microsoft's analysis attributes the act

Score 60 | 100.0% similarity
2. Chinese Hackers Exploit SharePoint Vulnerabilities to Deploy Toolsets Includes Backdoor, Ransomware and Loaders

Cybersecurity News • 21 hours ago

A sophisticated Chinese threat actor has been exploiting critical vulnerabilities in Microsoft SharePoint to deploy an advanced malware toolset dubbed "Project AK47," according to new research published by Palo Alto Networks Unit 42. The campaign, which has been active since at least March 2025, represents a significant escalation in attacks targeting enterprise SharePoint environments through […]

Score 58 | 100.0% similarity
3. Ransomware gangs join attacks targeting Microsoft SharePoint servers

BleepingComputer • 2 days ago

Sergiu Gatlan, August 4, 2025 07:26 AM. Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide. Security researchers at Palo Alto Networks' Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving

Score 57 | 95.0% similarity
4. Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Palo Alto Unit 42 • 1 day ago

Threat Research, Vulnerabilities. By: Hiroaki Hara, Mark Lim. Published: August 5, 2025. Tags: Backdoor, CL-CRI-1040, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, LockBit, Microsoft, SharePoint, Storm-2603

Score 51 | 95.0% similarity
5. Microsoft Used China-Based Engineers to Maintain Vulnerable SharePoint

Techrepublic • 3 days ago

Microsoft used an engineering team based in China to support SharePoint before its vulnerabilities were patched. The application was exploited by at least three state- Chinese threat groups last month. What is the China connection to the ToolShell SharePoint exploit? An exploit chain for a remote code execution (RCE) attack on on-premises SharePoint servers dubbed ToolShell was first identified at a hacking competition in May; however, Microsoft didn't put out patches for the vulnerabilities that

Score 51 | 100.0% similarity


Cluster Intelligence

Key entities and indicators for this cluster

INDUSTRIES: Information Technology, Cybersecurity, Government
SECURITY VENDORS: CrowdStrike, Unit 42, Palo Alto Networks
APT GROUPS: Violet Typhoon, Storm-2603, Linen Typhoon
ATTACK TYPES: Phishing, Exploitation of Public-Facing Applications, Remote Code Execution, Exploit
RANSOMWARE: 4L4MD4R, LockBit
MITRE ATT&CK: T1071.001, T1059.001, T1566, T1053, T1573
MALWARE: Project AK47, 4L4MD4R, X2ANYLOCK
VULNERABILITIES: Data Encryption for Impact, Remote Code Execution
IP ADDRESSES: 145.239.97.206
AGENCIES: National Nuclear Security Administration, Department of Homeland Security
PLATFORMS: Microsoft SharePoint
COMPANIES: Palo Alto Networks
DOMAINS: innovationfactory.it
CVES: CVE-2025-49704, CVE-2025-53770, CVE-2025-53771, CVE-2025-49706
COUNTRIES: China
CLUSTER INFORMATION: Cluster #1713, Created 1 day ago, Semantic Algorithm
